Category Archives: Privacy Basics

Phishing is a deceptive method in which a criminal sends an email or text that mimics or claims to be from a trusted source (such as a bank, or the Internal Revenue Service, or the Better Business Bureau, or the Federal Trade Commission) in an attempt to steal personal and financial information from you – such as a social security number, credit card number, account number or password.

This scheme only works if the perpetrator convinces you to go from the email or text to a bogus website. Below are some tips on how to spot a phishing email. Once you spot it, delete it.

Act Now! Online scammers prey on vulnerabilities. One trick is to create a sense of urgency by convincing you that something bad has happened (or will happen) and you need to act quickly or there will be dire consequences. For example, they might threaten to close your account or take other action against you if you don’t act quickly.

Phishing Expeditions Request Your Personal Information. Remember, the aim of a phishing expedition is to get you to surrender your personal information. Be especially suspicious if you are asked to update your information; that’s a very common ploy.

Link is Forged. Don’t be duped by a web link that appears to be legitimate just because you may recognize some part of the business name in it. That doesn’t mean it links to an official website. One trick to ferret this out is to scroll over the link and see if it matches the sender’s email address. If not, that’s your answer.

“S” stands for “Secure.” Only provide personal or financial information through a website if you have personally typed in the web address directly into the browser yourself, and the site appears to be secure. Tip: Websites that are safe start with “https:” – where the “s” stands for secure. If you don’t see “https:” it’s probably not a legitimate website.

Spear phishing is a more sophisticated form of phishing. In the case of spear phishing, the presumed sender of the email an individual within your company and it’s generally someone with authority like a “System Specialist” or “Network Administrator.” Spear phishers target sensitive confidential information of the company. Frequently, the email or text will request you to either log in to a bogus web page that requires the employee’s user name and password, or to click on a link (that will initiate the download of spyware or malware on your computer or the company’s network).

Tip: If you don’t recognize or have doubts about the identity of the email Sender, you should look them up on your company’s directory or contact your supervisor.

Takeways

Once you’ve spotted a phishing message, delete it.

If you accidentally click on the phishing link and a program downloads on your computer or network, contact your tech support department right away.

Add signature blocks to your emails so that you’re easily identifiable as a company employee. Include name, title and phone number so you can be contacted directly.

The social networking and gaming site RockYou.com was hacked in December 2009 and suffered a severe data breach, which exposed personal information including email addresses, passwords and photos of 32 million users. Of that 32 million, 179,000 were children. The situation went from bad to worse for RockYou when the hacker posted on the Internet a snippet of the data he obtained, showing that RockYou’s user account data were stored in plain text in its database and not encrypted. Unencrypted personal information is basically like catnip to a hacker and from a risk perspective, the company was in deep trouble. Compounding its problems, RockYou handled the communication to its users and the public horribly and this incident was a public relations disaster for the company.

The magnitude of the data breach drew the attention of the Federal Trade Commission (FTC). The FTC is the federal agency responsible for enforcing laws that protect online consumers. The FTC is especially proactive when the personal information of children is compromised. RockYou is one company on a growing list of companies that the FTC has aggressively pursued for violating the Children’s Online Privacy Protection Act, known as COPPA, which the FTC enforces. In short, COPPA requires that before a website collects, uses or shares personal information it receives from a child under 13, the website operator must get verified parental consent (commonly referred to as “email plus” verification method). The rule also requires websites to post a clear, understandable and complete privacy policy on their site.

Here, the FTC investigated and found that RockYou’s information security practices were deceptive, posing a significant risk to consumers and that the company had violated COPPA by gathering personal information from kids under 13 over a two-year period without obtaining the mandatory parental consent. In addition, the company failed to spell out in its posted privacy policy how the information it collected would be used or shared. Finally, RockYou was faulted for not maintaining reasonable security procedures to prevent breaches like the one that occurred. The FTC came down hard on RockYou for its mistakes. According to a proposed settlement order with the FTC announced on March 27, 2012, RockYou must pay a $250,000 penalty for COPPA violations, implement a data security program, and submit to security audits every other year for 20 years. In addition, the company it is barred from any further violation of COPPA and prohibited from making deceptive claims regarding privacy and data security.

The takeaways? This is a story about the consequences of a company’s deceptive business practices, failed data security program and clearly a lack of preparedness when faced with a large scale data breach. Aside from the $250,000 fine and attorneys’ fees the company must pay, the other economic costs here are lost business costs and the widespread damage to RockYou’s reputation and brand caused by this catastrophic breach.

Welcome to Privacy Matters, a Nolo blog devoted to information privacy and data security issues as they relate to small businesses and consumers. Information privacy covers the rules that apply to the gathering and handling of “personal information” — in other words information that can be traced to a particular individual, like geolocation information, credit information, or health records.

Privacy law varies by industry, state, country, transaction and customer and is complicated. Through blog posts and an ongoing series of Nolo primer articles, I hope to provide general, useful information about fundamental privacy principles and best practices that Internet, technology and bricks and mortar businesses need to be aware of, as this area of law can be a field of landmines for the unknowing.

Class action lawsuits and Federal Trade Commission enforcement actions against tech titans like Facebook and Google, and high-profile data breaches jeopardizing that private data of millions of individuals and tarnishing the reputations of scores of companies like Sony, Heartland Payments Systems and RSA Security — have thrust privacy onto the front pages. It’s important for small business owners to recognize that the same rules that have gotten large companies into trouble apply to small businesses as well. When it comes to privacy, an once of prevention is, in fact, worth a pound of cure.